This article explains why the Okta System Log displays different events for an incorrect Okta Verify push notification selection, depending on whether the action occurs through a browser or a direct Application Programming Interface (API) call. When a user selects an incorrect number in a browser, the System Log records the following event:
invalid_credential
However, when the same action is performed programmatically via an API call, the System Log records:
User rejected Okta Verify push.
- Okta Verify
- Okta API
- System Log
This difference in logged events occurs because the authentication flow is handled distinctly when initiated programmatically. In an API-driven flow, factor verification is a separate step from primary authentication. This step is managed by the /api/v1/authn/factors/${factorId}/verify endpoint, which is designed to return one of four specific results: WAITING, SUCCESS, REJECTED, or TIMEOUT. When a user selects the wrong number in this flow, the interaction is interpreted as a REJECTED state by the endpoint.
This behavior is expected and does not indicate a system error. The discrepancy in the System Log events is a direct result of the different ways Okta's authentication architecture processes browser-based interactions versus direct API calls.
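A detection that counts only one of these two events misses failed pushes made through the other path. The following added example (not Okta's code) groups both under one per-user count; the record field names (`actor.alternateId`, `displayMessage`, `outcome.reason`), the threshold, and the sample records are assumptions.

```python
from collections import Counter

# Marker strings come from the article; which record field carries each one
# is an assumption, so both displayMessage and outcome.reason are searched.
BROWSER_MARKER = "invalid_credential"
API_MARKER = "user rejected okta verify push"

def classify(event):
    """Return 'api', 'browser' or None for one System Log record (a dict)."""
    outcome = event.get("outcome") or {}
    text = f"{event.get('displayMessage') or ''} {outcome.get('reason') or ''}".lower()
    if API_MARKER in text:
        return "api"
    # Caveat: this string does not name the factor, so scope the input to
    # Okta Verify events before relying on it.
    if BROWSER_MARKER in text:
        return "browser"
    return None

def failed_push_summary(events, threshold=3):
    """Per-user count of failed pushes across both paths, at or above threshold."""
    counts, paths = Counter(), {}
    for ev in events:
        path = classify(ev)
        if path is None:
            continue
        user = (ev.get("actor") or {}).get("alternateId", "unknown")
        counts[user] += 1
        paths.setdefault(user, set()).add(path)
    return {u: {"count": n, "paths": sorted(paths[u])}
            for u, n in counts.items() if n >= threshold}

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"actor": {"alternateId": "alice@example.com"},
     "displayMessage": "User rejected Okta Verify push", "outcome": {"result": "FAILURE"}},
    {"actor": {"alternateId": "alice@example.com"},
     "outcome": {"result": "FAILURE", "reason": "invalid_credential"}},
    {"actor": {"alternateId": "alice@example.com"},
     "displayMessage": "User rejected Okta Verify push.", "outcome": {"result": "FAILURE"}},
    {"actor": {"alternateId": "bob@example.com"},
     "displayMessage": "User rejected Okta Verify push", "outcome": {"result": "FAILURE"}},
    {"actor": {"alternateId": "carol@example.com"},
     "displayMessage": "constructed success record", "outcome": {"result": "SUCCESS"}},
]

if __name__ == "__main__":
    print(failed_push_summary(SAMPLE_EVENTS))
```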
Related References
- For more detailed information on the API factor verification process, refer to the Developer Documentation.
